Re: [PHP] safe mode bug ?
On So, Jun 06, 2004 at 02:36:13 +0200, Robert Hensel <robert@hensel.nl> wrote:
> Hi,
>
> I came upon a strange problem when trying to list directory's in safe
> mode as a normal user. Of course I expected this not to work, because
> safe_mode disables the possibility of reading files that not belong to
> the owner of the PHP-file. However, it does not seem to check for
> directory ownerships. (debian stable, PHP4.1.2). PHP does give a warning
> about safe_mode (as seen below) but then nicely lists the directory :(
> This means any user can just browse through any dir. on my system. PHP
> obviously still obeys UNIX file permissions so i could tighten up those,
> and enable basedir restrictions and stuff, but it looks to me that this
> is just a (major) bug ?
Hello,
it is widely known that safe_mode is not really safe.
You might want to restrict access with open_basedir .
The most secure solution is still to install php's cgi executable in an
suexec environment.
Reply to: